ZapEHR is built with security and compliance as our top priority. ZapEHR systems are architected against breach or loss, malicious or accidental. Like the clinical organizations we serve, "first, do no harm" is baked into our culture. We view everything we do from the perspective of securing our systems and data, whether technical or operational.
ZapEHR stores data in multiple isolated, HIPAA-compliant environments. In multi-tenant environments, customer data is logically separated at each level of the network, application, and data stacks, providing multiple fail-safe mechanisms. In addition to organization-level segmentation, ZapEHR provides a robust, customizable access-policy implementation allowing organizations to further restrict access to data according to organizational needs.
ZapEHR protects three types of persistent data at rest: discrete files, logs, and database instances. All logs, discrete files stored on the ZapEHR platform, and database instances are encrypted at rest with the AES-256 encryption algorithm. Data in transit is encrypted with TLS 1.2 or later.
ZapEHR services sit behind a modern Web Application Firewall (WAF). Web hosting and network API services are scalable and resilient, with automated protection against denial-of-service and bot attacks. All inbound traffic communicating with ZapEHR must use HTTPS, with a minimum of TLS version 1.2. Insecure HTTP traffic is upgraded to HTTPS or discarded.
ZapEHR's infrastructure is serverless, highly available, and fault-tolerant. This means there are no servers to manage, no operating systems to patch, and no software to install in order to maintain a secure compute environment. Services scale automatically to meet demand and recover from failures without any human intervention. In the event of unexpected downtime, services automatically migrate to other availability zones to ensure continuity of service.
Linters, static code analysis, unit tests, integration tests, end-to-end tests, and manual code reviews ensure code quality. cdk-nag helps enforce compliance with cloud benchmarks provided by the Center for Internet Security by automatically flagging and preventing deployment of noncompliant resources. ZapEHR performs both internal and external security auditing and testing, including independent third-party penetration testing and vulnerability scanning.
ZapEHR uses Security Hub to maintain a centralized view of ZapEHR's security posture at all times across multiple dependent services. This 'single pane of glass' monitors compliance against CIS Benchmarks v1.2.0 and validates the security posture of cloud asset and account configurations. Amazon GuardDuty intelligently monitors for external threats, and CloudWatch alarms alert ZapEHR teams to any infrastructure, security, or compliance issues.
All employees must complete comprehensive security awareness training and review our internal policy documents annually.
Please contact us with any security-related concerns or questions at [email protected]